[ https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Remko Popma updated LOG4J2-3214:
--------------------------------
Description:
I propose to update the text for the mitigation section of CVE-2021-44228 on
[https://logging.apache.org/log4j/2.x/security.html]
Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet
point list for improved readability.
----
*Log4j 1.x mitigation* - Audit your logging configuration to ensure it has no
{{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender are
not impacted by this vulnerability.
*Log4j 2.x mitigation*: (any one of the below will mitigate the
vulnerability)
* If possible, upgrade to the latest version: 2.15.0 or later.
* In releases from 2.7 through 2.14.1, you can modify your logging
configuration to switch off message lookups:
** use {{%m{nolookups}}} instead of just {{%m}}
** use {{%msg{nolookups}}} instead of just {{%msg}}
** use {{%message{nolookups}}} instead of just {{%message}}
* In releases >=2.10, you can:
** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see
[details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}}
(see
[details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
* For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the
{{JndiLookup}} class from the classpath: {{zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class}}.
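Added example, not part of the Jira issue or the Log4j project: a pure-Python equivalent of the {{zip -q -d}} step above (rewrite the jar without JndiLookup.class), plus a version read from the jar's Maven metadata so an operator can tell which of the mitigation tiers listed above a given jar falls under. The sample jar it audits is constructed in code with placeholder bytes, not a real log4j-core build.

```python
import os
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def log4j_core_version(jar_path):
    """Read the log4j-core version from the jar's Maven pom.properties; None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "version":
                return value.strip()

def has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()

def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (the effect of `zip -d`); True if removed."""
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():  # copy every other entry unchanged
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    shutil.move(tmp_path, jar_path)  # replace the original jar in place
    return True

def make_sample_jar(path, version="2.14.1"):
    """Constructed fixture shaped like log4j-core; placeholder bytes, not real bytecode."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(POM_PROPS, "version=%s\nartifactId=log4j-core\n" % version)
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")

def demo():
    """Audit, then strip, a constructed 2.14.1-style jar; returns the observed states."""
    sample = os.path.join(tempfile.mkdtemp(), "log4j-core-2.14.1.jar")
    make_sample_jar(sample)
    before, removed = has_jndi_lookup(sample), remove_jndi_lookup(sample)
    return {"version": log4j_core_version(sample), "before": before,
            "removed": removed, "after": has_jndi_lookup(sample)}
```

Point {{remove_jndi_lookup}} at a real jar only after confirming its version with {{log4j_core_version}}; for 2.10 and later the property or environment variable above is the less invasive option.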
was:
I propose to update the text for the mitigation section of CVE-2021-44228 on
[https://logging.apache.org/log4j/2.x/security.html]
Changes: add Log4j 1.x section, and format the Log4j 2.x section as a bullet
point list for improved readability.
----
*Log4j 1.x mitigation* - Audit your logging configuration to ensure it has no
{{JMSAppender}} configured. Log4j 1.x configurations without JMSAppender are
not impacted by this vulnerability.
*Log4j 2.x mitigation*: (any one of the below will mitigate the
vulnerability)
* If possible, upgrade to the latest version: 2.15.0.
* In releases >=2.10, you can:
** set system property {{log4j2.formatMsgNoLookups}} to {{true}} (see
[details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties])
** or set environment variable {{LOG4J_FORMAT_MSG_NO_LOOKUPS}} to {{true}}
(see
[details|https://logging.apache.org/log4j/2.x/manual/configuration.html#SystemProperties]).
* In releases from 2.7 through 2.14.1, you can modify your logging
configuration to specify the message converter as {{%m{nolookups}}} instead
of just {{%m}}.
* For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the
{{JndiLookup}} class from the classpath: {{zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class}}.
> update security page text for CVE-2021-44228
> --------------------------------------------
>
> Key: LOG4J2-3214
> URL: https://issues.apache.org/jira/browse/LOG4J2-3214
> Project: Log4j 2
> Issue Type: Documentation
> Reporter: Remko Popma
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)